what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SAP NetWeaver J2EE DAS Service Unauthorized Access

SAP NetWeaver J2EE DAS Service Unauthorized Access
Posted Oct 18, 2015
Authored by Alexander Polyakov

In SAP NetWeaver AS JAVA, it is possible to call some of the DAS files without authorization because they do not check if a user is authorized to access some of the JSPs.

tags | advisory, java
SHA-256 | 17e930af4bcb201a5b3c49123d1dd0c39290d43e9d66e4289fe5cec29479a0e8

SAP NetWeaver J2EE DAS Service Unauthorized Access

Change Mirror Download
ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS
service - Unauthorized Access


Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA, probably others
Vendor URL: http://SAP.com
Bugs: Unauthorized access
Sent: 20.04.2013
Reported: 21.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 13.10.2015
Reference: SAP Security Note 1945215
Author: Alexander Polyakov (ERPScan)


Description
1. ADVISORY INFORMATION
Title: SAP NetWeaver J2EE DAS service – Unauthorized Access
Advisory ID: [ERPSCAN-15-017]
Risk: High
Advisory URL: http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/
Date published: 13.10.2015
Vendors contacted: SAP


2. VULNERABILITY INFORMATION
Class: Unauthorized Access [CWE-284]
Impact: Unauthorized access to some functions
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 3.5 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)
Network (N)
AC : Access Complexity (Required attack complexity)
Medium (M)
Au : Authentication (Level of authentication needed to exploit)
Single (S)
C : Impact to Confidentiality
Partial (P)
I : Impact to Integrity
None (N)
A : Impact to Availability
None (N)

3. VULNERABILITY DESCRIPTION
An authenticated user can use the functions of XML Data Archiving
Service access to which should be restricted. This may result in
privilege escalation.


4. VULNERABLE PACKAGES
SAP NetWeaver AS JAVA
Other versions are probably affected too, but they were not checked.


5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 1945215.


6. AUTHOR
Alexander Polyakov (ERPScan)


7. TECHNICAL DESCRIPTION
It is possible to call some of the DAS files without authorization
because they do not check if a user is authorized to access some of
the JSPs.

Most JSPs have authorization checks:

String authorization = (String) session.getAttribute("AuthRequHead");
if (authorization == null)
authorization = "";

But in 3 JSPs those checks are not included:

http://SAP_IP/DataArchivingService/webcontent/cas/cas_enter.jsp
http://SAP_IP/DataArchivingService/webcontent/cas/cas_validate.jsp
http://SAP_IP/DataArchivingService/webcontent/aas/aas_store.jsp

It means that an anonymous user can call those JSPs.

The most critical one is cas_enter.jsp.

We can create any archiving directory and also:
1) Check if there is any file or directory on the server by analyzing
the response while creating an archive store
2) Perform an SMBRelay attack by putting something like
\\remotehost\aa into the Windows root variable
3) Potentially make HTTP calls and other calls while using WebDav


8. REPORT TIMELINE
Sent: 20.04.2013
Reported: 21.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 13.10.2015


9. REFERENCES
http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/


10. ABOUT ERPScan Research
The company’s expertise is based on the research subdivision of
ERPScan, which is engaged in vulnerability research and analysis of
critical enterprise applications. It has achieved multiple
acknowledgments from the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for exposing 400+ vulnerabilities in their
solutions (200 of them just in SAP!).
ERPScan researchers are proud to have exposed new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and were
nominated for best server-side vulnerability at BlackHat 2013.
ERPScan experts have been invited to speak, present, and train at 60+
prime international security conferences in 25+ countries across the
continents. These include BlackHat, RSA, HITB as well as private
trainings for SAP in several Fortune 2000 companies.
ERPScan researchers lead project EAS-SEC, which is focused on
enterprise application security research and awareness. They have
published 3 exhaustive annual award-winning surveys about SAP
security.
ERPScan experts have been interviewed by leading media resources and
specialized info-sec publications worldwide: Reuters, Yahoo, SC
Magazine, The Register, CIO, PC World, DarkReading, Heise, and
Chinabyte, to name a few.
We have highly qualified experts in staff with experience in many
different fields of security, from web applications and
mobile/embedded to reverse engineering and ICS/SCADA systems,
accumulating their experience to conduct research in SAP security.


11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Security provider. Founded in 2010, the company operates globally and
enables large Oil and Gas, Financial, and Retail organizations to
secure their mission-critical processes. Named an Emerging Vendor in
Security by CRN, listed among TOP 100 SAP Solution Providers and
distinguished by 30+ other awards, ERPScan is the leading SAP SE
partner in discovering and resolving security vulnerabilities. ERPScan
consultants work with SAP SE in Walldorf to assist in improving the
security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions to evaluate and secure SAP
and Oracle ERP systems and business-critical applications from both
cyber-attacks and internal fraud. Usually our clients are large
enterprises, Fortune 2000 companies, and managed service providers
whose requirements are to actively monitor and manage security of vast
SAP landscapes on a global scale.
We ‘follow the sun’ and function in two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services and agile support,
operate local offices and partner network spanning 20+ countries
around the globe.


USA address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
http://erpscan.com
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close